[Bug 271924] short pred1 compressed packet can cause ppp to write off the end of a buffer
Date: Fri, 09 Jun 2023 18:16:17 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271924
Bug ID: 271924
Summary: short pred1 compressed packet can cause ppp to write off the end of a buffer
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Attachment #242704 mime type: text/plain
Created attachment 242704
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242704&action=edit
crash ppp by sending a short pred1 compressed packet
If the sender has negotiated ppp pred1 compression, then sending this
too-short compressed HDLC frame:
7e fd ff 4f cc 7e
causes ppp's Pred1Input() to pass a negative length to decompress(),
which (since decompress() only checks for equality with zero) is
effectively a huge length.
The negative length comes from this subtraction in Pred1Input():
olen = m_length(bp);
...;
len1 = decompress(state, cp, pp, olen - 4);
With the above input frame, the mbuf at this point has a length of 3.
A backtrace from the attached demo ppp27a.c:
#0 0x000009cc8c70aff0 in decompress (state=0x9d4b663c700,
source=0x9d4b66f28e9 "",
dest=0x9d4b6787000 <error: Cannot access memory at address 0x9d4b6787000>,
len=-1025456) at /usr/src/usr.sbin/ppp/pred.c:119
#1 Pred1Input (v=0x9d4b663c700, ccp=0x9d4b65d5340, proto=0x9d4ad6d2f1e,
bp=0x9d4b65f8300) at /usr/src/usr.sbin/ppp/pred.c:238
#2 0x000009cc8c6dda10 in ccp_LayerPull (b=<optimized out>, l=<optimized out>,
bp=0x9d4b65f8300, proto=0x9d4ad6d2f1e) at /usr/src/usr.sbin/ppp/ccp.c:765
#3 0x000009cc8c6feff4 in link_PullPacket (l=0x9d4b65d4600,
buf=<optimized out>, len=<optimized out>,
b=0x9cc8c7254b0 <bundle_Create.bundle>) at /usr/src/usr.sbin/ppp/link.c:315
#4 0x000009cc8c6d8e25 in bundle_DescriptorRead (d=<optimized out>,
bundle=0x9cc8c7254b0 <bundle_Create.bundle>, fdset=0x9d4b65ff140)
at /usr/src/usr.sbin/ppp/bundle.c:546
#5 0x000009cc8c702704 in DoLoop (bundle=0x9cc8c7254b0 <bundle_Create.bundle>)
at /usr/src/usr.sbin/ppp/main.c:661
#6 main (argc=3, argv=<optimized out>) at /usr/src/usr.sbin/ppp/main.c:535
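To show where the length check belongs, here is an added example that is not ppp's pred.c or the attached demo: a toy PRED1 decoder in the style of RFC 1978, with the frame layout (2-byte length header whose bit 15 marks a compressed frame, 2-byte trailing CRC) taken from that RFC, which is why the payload length is olen - 4. Sizes are unsigned, the short-frame check happens before the subtraction, and the decompressor stops at the end of its input and output instead of looping on `len != 0`; the demo inputs are constructed, and CRC verification is omitted.

```c
#include <stdint.h>
#include <string.h>

struct pred1_state { uint16_t hash; uint8_t dict[65536]; }; /* RFC 1978 guess table */
#define HASH(s, x) ((s)->hash = (uint16_t)(((s)->hash << 4) ^ (x)))
/* Bounded decompressor: unsigned sizes, stops when input ends, never writes
   past dest_cap.  Returns bytes produced, or -1 if output would overflow. */
long pred1_decompress(struct pred1_state *st, const uint8_t *src, size_t len,
                      uint8_t *dest, size_t dest_cap)
{
    size_t out = 0;
    while (len) {
        uint8_t flags = *src++; len--;
        for (int i = 0; i < 8; i++) {
            if (out >= dest_cap) return -1;                 /* output bound */
            if (flags & (1u << i))
                dest[out] = st->dict[st->hash];             /* guess hit */
            else if (len == 0)
                return (long)out;                           /* input exhausted */
            else { dest[out] = st->dict[st->hash] = *src++; len--; } /* literal */
            HASH(st, dest[out]); out++;
        }
    }
    return (long)out;
}
/* Body as Pred1Input() sees it: 2-byte length header, data, 2-byte CRC, hence
   "olen - 4".  Checking olen first rejects a 3-byte body instead of passing -1 on. */
long pred1_input(struct pred1_state *st, const uint8_t *body, size_t olen,
                 uint8_t *out, size_t out_cap)
{
    if (olen < 4) return -1;                                /* the missing check */
    uint16_t hdr = (uint16_t)(body[0] << 8 | body[1]);      /* bit 15: compressed */
    if (!(hdr & 0x8000)) return -1;                         /* uncompressed path omitted */
    long n = pred1_decompress(st, body + 2, olen - 4, out, out_cap);
    return (n < 0 || (size_t)n != (size_t)(hdr & 0x7fff)) ? -1 : n; /* length mismatch */
}
/* Constructed inputs, not taken from the attachment. */
long demo_short_frame(void)           /* 3-byte body, the report's case */
{
    struct pred1_state st = {0}; uint8_t body[3] = {0xff, 0x4f, 0xcc}, out[8];
    return pred1_input(&st, body, sizeof body, out, sizeof out);
}
long demo_valid_frame(size_t out_cap) /* hdr 0x8002, flags 0, 'A' 'B', dummy CRC */
{
    struct pred1_state st = {0}; uint8_t out[8] = {0};
    uint8_t body[] = {0x80, 0x02, 0x00, 'A', 'B', 0x00, 0x00};
    if (out_cap > sizeof out) out_cap = sizeof out;
    long n = pred1_input(&st, body, sizeof body, out, out_cap);
    return (n == 2 && out[0] == 'A' && out[1] == 'B') ? 2 : n;
}
```

With the report's 3-byte body the checked path returns an error before any subtraction, and an undersized output buffer is refused rather than overrun.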